Virtual Administrator’s March 2020 Patch Recommendations

This month Microsoft released patches for 115 vulnerabilities with 26 rated “Critical” in severity.

 

All patches have been approved in our patch policy.

 

Another large patch month, but few problems reported. No zero-days were released and no new vulnerabilities are currently being exploited. Adobe has released no patches for March. There was some confusion with an SMBv3 vulnerability, forcing Microsoft to release a new Cumulative Update on March 12 replacing the original March 10 patch. Also, Microsoft released an optional update, KB4535996, on February 27 that had a number of bugs. This update has been replaced by the regular Patch Tuesday update. We have not seen reports that the new update is causing the same issues.

Deny KB4535996 – On February 27th Microsoft released KB4535996 as an optional Cumulative Update for Windows 10 Version 1909/1903. We do not release any patches other than zero-days outside of the normal Patch Tuesday cycle. KB4535996 had a number of reported bugs and is replaced by the regular monthly update KB4551762. You can deny KB4535996 if you like, but it should not be offered to machines as it has been superseded by the new one.

FYI – Apparently Microsoft was going to release a patch for the SMBv3 vulnerability but backed off at the last minute. They released the initial Cumulative Update for Windows 10, KB4540673, on March 10th without it but did not tell all the vendors who were given prior notice about the vulnerability. Some of those vendors posted details about the unpatched SMBv3 vulnerability. Microsoft quickly released KB4551762 including the SMBv3 fix.

Heads Up! The vulnerability fixed by last month’s Microsoft Exchange updates (CVE-2020-0688: KB4536987, KB4536988 and KB4536989) has seen an increase in known targeted attacks. Make sure you have the update installed.

FYI [ADV990001] New Servicing Stack Updates (SSU) for all operating systems. Up-to-date SSUs are critical. Many do not show up in the regular Windows Updater scans and should be installed in the background automatically. ClubMSP offers scripts to audit the current SSU version as well as installation scripts. It is recommended that all partners run the “MS Stack Audit” to determine if their machines are current. “MS Stack Audit AIO” can be used to install the newest SSU if necessary.

 

Disclosed: None

Exploited: None

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Internet Explorer
  • Microsoft Exchange Server
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Azure DevOps
  • Windows Defender
  • Visual Studio
  • Open Source Software
  • Azure
  • Microsoft Dynamics

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 3/12/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

 

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression (Published: 03/10/2020)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

 

Known Issues

Windows 10 has issues when using Windows Server containers with 32-bit applications and processes.  There is also an issue with the Extended Security Updates (ESU) releases for Windows 7/8.1 and Server 2008/2008R2. The patch for Microsoft Exchange Server 2016/2019 has the longstanding issue with manual installs as reported in previous months.  The issue does not occur when you install the update through Microsoft Update.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

Windows 10

https://support.microsoft.com/en-ca/help/4551762

Symptom: When using Windows Server containers with the March 10, 2020 updates, you might encounter issues with 32-bit applications and processes.

Workaround: For important guidance on updating Windows containers, please see Windows container version compatibility. (Here: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility)

 

Windows 7/8.1 and Server 2008/2008R2

https://support.microsoft.com/en-ca/help/4540688/windows-7-update-kb4540688

Symptom: After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Workaround: See KB above

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Each KB article is at https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (digits, without the “KB” prefix).

 

Security and Quality Rollup

  • KB4540688 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4541509 – Windows 8.1, Windows Server 2012 R2
  • KB4541510 – Windows Server 2012
  • KB4541506 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB4541500 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4541505 – Windows 8.1, Windows Server 2012 R2
  • KB4540694 – Windows Server 2012
  • KB4541504 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

  • KB4540693 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4540670 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4540705 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4540681 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4540689 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4538461 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4551762 – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB4551762 – Version 1909 “November 2019 Update” (OS Build 18363)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
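
The KB list above, together with the notes on KB4535996 and KB4540673 earlier on this page, can be turned into a per-host check. The following PowerShell is an added example, not a ClubMSP or Microsoft script: the KB numbers come from this page, while the function name, status labels and sample inventory rows are hypothetical and constructed for illustration.

```powershell
# Added example. KB numbers are taken from this page; function and status names are hypothetical.
# Keys are OS build numbers; Server 2016 = 14393 and Server 2019 = 17763, per the note above.
$MarchCU = @{
    10240 = 'KB4540693'; 14393 = 'KB4540670'; 15063 = 'KB4540705'
    16299 = 'KB4540681'; 17134 = 'KB4540689'; 17763 = 'KB4538461'
    18362 = 'KB4551762'; 18363 = 'KB4551762'
}

function Get-March2020PatchStatus {
    param(
        [Parameter(Mandatory)][int]$OsBuild,
        [string[]]$InstalledKb = @()
    )
    $expected = $MarchCU[$OsBuild]
    if (-not $expected) { return 'NoMarchCUListed' }        # e.g. Version 1511 (build 10586)
    if ($InstalledKb -contains $expected) { return 'Current' }
    if ($OsBuild -in 18362, 18363) {
        # The March 10 CU shipped without the SMBv3 fix; only KB4551762 carries it.
        if ($InstalledKb -contains 'KB4540673') { return 'March10CUOnly-NoSMBv3Fix' }
        # Optional February 27 update, superseded by KB4551762.
        if ($InstalledKb -contains 'KB4535996') { return 'OptionalFebCUOnly' }
    }
    return 'Missing'
}

# Constructed inventory rows (not real hosts) so the logic can be checked offline.
$sample = @(
    [pscustomobject]@{ Name = 'PC-01';  Build = 18363; Kb = @('KB4551762') }
    [pscustomobject]@{ Name = 'PC-02';  Build = 18362; Kb = @('KB4540673') }
    [pscustomobject]@{ Name = 'PC-03';  Build = 18363; Kb = @('KB4535996') }
    [pscustomobject]@{ Name = 'SRV-01'; Build = 17763; Kb = @() }
)
$sample | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Status = Get-March2020PatchStatus -OsBuild $_.Build -InstalledKb $_.Kb
    }
}

# On a live Windows host, feed the same function from the OS itself.
if (Get-Command Get-HotFix -ErrorAction SilentlyContinue) {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    Get-March2020PatchStatus -OsBuild $build -InstalledKb @((Get-HotFix).HotFixID)
}
```

The check assumes it runs during the March 2020 cycle: it matches on the KB numbers listed here, so a host that already carries a later cumulative update would need that newer KB added to the table.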

 

KB4540671 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

None – Security Update for Adobe Flash Player

 

March 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4538705/march-2020-updates-for-microsoft-office

 

Notable CVEs

CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

 

CVE-2020-0852 | Microsoft Word Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0852

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

Note that Microsoft Outlook Preview Pane is an attack vector for this vulnerability.

The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.

 

CVE-2020-0684 | LNK Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0684

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system.

The security update addresses the vulnerability by correcting the processing of shortcut LNK references.

 

CVE-2020-0872 | Remote Code Execution Vulnerability in Application Inspector

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0872

A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output. An attacker who exploited it could send sections of the report containing code snippets to an external server.

To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component.

The update addresses the vulnerability by adding output encoding to the HTML report, blocking an attacker’s ability to initiate a JavaScript action.

Additional details can be found in the Application Inspector project on GitHub.